WiredPulse / Posh R2

Licence: apache-2.0
PoSh-R2

PowerShell - Rapid Response (PoSH-R2)... For the incident responder in you!

PoSH-R2 is a set of Windows Management Instrumentation (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system, so they must be run as a user that holds the necessary privileges on the target, and authentication to remote systems is done via a network logon. Retrieved data is written to CSVs and SQLite databases on the system running the script.

In a single execution, PoSH-R2 will retrieve the following data from an individual machine or a group of systems:

    - Autorun entries
    - Disk info
    - Environment variables
    - Event logs (50 latest)
    - Installed Software
    - Logon sessions
    - List of drivers
    - List of mapped network drives
    - List of running processes
    - Logged in user
    - Local groups
    - Local user accounts
    - Network configuration
    - Network connections
    - Patches
    - Scheduled tasks with AT command
    - Shares
    - Services
    - System Information
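As an added example (not PoSH-R2's own code), the function below collects a subset of the artifacts listed above from one or more hosts over the same WMI provider and writes each set to a per-host CSV, tagging rows with the host name so results from many machines can be merged and filtered. It assumes PowerShell 3 or later for the CIM cmdlets (the project itself supports version 2), DCOM reachability to the targets, and a caller whose network logon has local administrator rights there; the function name, the output directory and the hypothetical host names are all made up for the example.

```powershell
# Collect selected WMI artifacts from remote hosts and write them to CSV.
# Assumes PowerShell 3+, DCOM access to the targets and an admin network logon.
function Invoke-WmiTriage {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$OutputRoot = (Join-Path (Get-Location) 'Triage--Results')
    )
    # Artifact name -> WMI class; the same classes a WMI-based collector queries.
    $classes = @{
        Processes = 'Win32_Process'
        Services  = 'Win32_Service'
        Autoruns  = 'Win32_StartupCommand'
        Shares    = 'Win32_Share'
        Patches   = 'Win32_QuickFixEngineering'
        Drivers   = 'Win32_SystemDriver'
        Sessions  = 'Win32_LogonSession'
    }
    $timestamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    # Classic WMI talks DCOM; the CIM cmdlets default to WinRM, so ask for DCOM.
    $dcom = New-CimSessionOption -Protocol Dcom

    foreach ($target in $ComputerName) {
        $dir = Join-Path $OutputRoot $target
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        try {
            $session = New-CimSession -ComputerName $target -SessionOption $dcom -ErrorAction Stop
        }
        catch {
            # A failed network logon to one host must not abort the whole run.
            "$target,session,$($_.Exception.Message)" | Add-Content -Path (Join-Path $OutputRoot 'errors.csv')
            continue
        }
        foreach ($name in $classes.Keys) {
            try {
                Get-CimInstance -ClassName $classes[$name] -CimSession $session -ErrorAction Stop |
                    # Tag every row with host and collection time for later merging.
                    Select-Object @{n='Host';e={$target}}, @{n='Collected';e={$timestamp}}, * |
                    Export-Csv -Path (Join-Path $dir "$name.csv") -NoTypeInformation
            }
            catch {
                # A class missing on an older OS is recorded, not fatal.
                "$target,$name,$($_.Exception.Message)" | Add-Content -Path (Join-Path $OutputRoot 'errors.csv')
            }
        }
        Remove-CimSession $session
    }
}

# Usage (hypothetical hosts): Invoke-WmiTriage -ComputerName 'host1','host2'
# Merge all hosts' process lists and keep one binary, as in the screenshots below:
# Get-ChildItem .\Triage--Results -Recurse -Filter Processes.csv | Import-Csv |
#     Where-Object Name -eq 'splunk.exe' | Out-GridView
```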

Usage

  1. Call upon the script from a PowerShell window with applicable rights for WMI and follow the prompts.
  2. Data will be saved to a new directory called "PoSH_R2--Results" within the directory from which this script was executed.

Additional Notes

  • This script will work with PowerShell version 2 and above

Screenshots

Running the script

A listing of the results written to csv files

A listing of the databases

Reading the data back into PowerShell using out-gridview (import-csv .\<some_file.csv> | out-gridview)

Filtering only on splunk.exe. From the screenshot, we see it is running on six systems
